When running API Gateway integrated with Layer7 SiteMinder, one might
like to know how to implement the grace period for the SMSESSION
cookie.
API Gateway 10.0
SiteMinder 12.8
Layer7 SiteMinder uses an ACO parameter, SessionGracePeriod, to control
the grace period before the SMSESSION cookie is renewed: it "specifies
the number of seconds the agent waits from the last accessed time of the
received session cookie before it generates a new session cookie" (1).
As you may already know, the API Gateway only supports 9 ACO parameters
at the moment (2).
At the time of writing this note (2021-05-12), this ACO parameter isn't
available for API Gateway.
In order to get the Layer7 SiteMinder ACO parameter SessionGracePeriod
implemented for API Gateway, we invite you to submit an Enhancement
Request (Idea) on the Broadcom page:
1. Go to the "All Ideas" page:
https://community.broadcom.com/ideation/allideas
2. Click on the "Add" button.
3. In "Select categories...", select "Layer7 Access Management".
4. Write a title in the "Title" box.
5. Write a complete description of the Enhancement Request or
Certification you'd like to post.
6. Click on "Save" to get the Idea submitted!
(1)
Session Grace Period and Update Period Settings
SessionGracePeriod
Specifies the number of seconds the agent waits from the last
accessed time of the received session cookie before it generates a
new session cookie. Set the SessionGracePeriod to 0 to disable the
setting. If the setting is disabled, the agent updates session
cookies for every request.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/session-grace-period-and-update-period-settings.html
(2)
Fetch ACO Properties to the Gateway Policy for Composing SMSESSION
Cookie with SSOToken
The following list of ACO parameters compose the SMSESSION cookie string:
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate http only
Note: Except for the above ACO parameters, Gateway does not use
any other ACO parameters.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/reference/context-variables/ca-single-sign-on-context-variables.html
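The following is an added example (not Gateway or SiteMinder code) that models the two references above together: the SessionGracePeriod rule from (1), which the Gateway does not consume, and the composition of the SMSESSION cookie from the ACO parameters listed in (2). The AcoSubset class, its sample values, and the mapping of PersistentCookies/CookieValidationPeriod to an Expires attribute are assumptions made for illustration; the scope parameters from (2) are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Subset of the ACO parameters named in reference (2) plus SessionGracePeriod
# from reference (1). Values are constructed for illustration only.
@dataclass
class AcoSubset:
    SSOZoneName: str = "SM"            # cookie name is <zone>SESSION (assumption)
    CookiePath: str = "/"
    CookieDomain: str = ".example.com"
    PersistentCookies: bool = False
    CookieValidationPeriod: int = 0    # seconds; only used when persistent
    UseSecureCookies: bool = True
    UseHttpOnlyCookies: bool = True
    SessionGracePeriod: int = 0        # seconds; NOT consumed by the Gateway

def cookie_name(aco):
    return f"{aco.SSOZoneName}SESSION"

def needs_new_cookie(aco, last_accessed, now):
    """Model of the rule in (1): with SessionGracePeriod 0 the agent
    re-issues the cookie on every request; otherwise only once the
    grace period has elapsed since the received cookie's last access."""
    if aco.SessionGracePeriod <= 0:
        return True
    return (now - last_accessed).total_seconds() >= aco.SessionGracePeriod

def set_cookie_header(aco, token, now):
    """Compose a Set-Cookie line from the ACO parameters listed in (2).
    Expires is derived from PersistentCookies + CookieValidationPeriod
    (an assumption about how the Gateway builds that property)."""
    parts = [f"{cookie_name(aco)}={token}",
             f"Path={aco.CookiePath}", f"Domain={aco.CookieDomain}"]
    if aco.PersistentCookies and aco.CookieValidationPeriod > 0:
        expires = now + timedelta(seconds=aco.CookieValidationPeriod)
        parts.append(f"Expires={format_datetime(expires, usegmt=True)}")
    if aco.UseSecureCookies:
        parts.append("Secure")
    if aco.UseHttpOnlyCookies:
        parts.append("HttpOnly")
    return "; ".join(parts)

def response_cookie(aco, token, last_accessed, now):
    """Return the Set-Cookie line to send, or None when the grace period
    says the received cookie should be left untouched."""
    if not needs_new_cookie(aco, last_accessed, now):
        return None
    return set_cookie_header(aco, token, now)
```

With the Gateway's current ACO support, only the SessionGracePeriod = 0 branch applies, so a cookie is composed on every request.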